Summary

Recent reports of Internet-scale traffic redirection based on BGP route hijacking, carried out to mount man-in-the-middle (at distance) attacks, have put major institutions and network service providers on alert. A compromised BGP router, whether hacked directly or indirectly through the network managers' computers, allows the injection of specifically crafted route announcements into the global routing infrastructure, forcing illicit traffic redirections into networks where man-in-the-middle attacks are viable (see AttackVector.png in attachment).

Corporate customers have to contend with the roles of helpless bystander and victim due to the lack of tools to detect and counteract Internet-scale traffic redirection. A world-wide redirection of target traffic compromises unencrypted communications and enables various attacks on encrypted communications. Most corporate network managers rely on their ISPs to guarantee the safety of their traffic. BGP route hijack attacks can only be detected by (i) constant monitoring and correlation of BGP updates and routing table information, and (ii) detection of large delay variations on multiple and heterogeneous traffic paths. However, the intrinsic nature of BGP, which relies on absolute trust in its peers, together with the massive amount of routing information exchanged worldwide, limits the capability of ISPs to detect BGP hijack attacks. A few commercial services have arisen to provide corporate clients with tools to monitor and detect traffic redirection attacks based on the detection of traffic delay anomalies. However, these services have a high cost and place all the responsibility for guaranteeing the security of the corporate network assets on a third party.

This project proposes the development of a world-wide distributed probing platform (with centralized control) to detect traffic routing variations based on round-trip time deviations inferred from multiple and dispersed geographic locations. The detection platform is aimed at satisfying the needs of corporate users, not ISPs. Corporate users must be able to protect their network assets by detecting any threatening attack without detailed BGP routing information, which is usually restricted to ISPs. Upon detection, a corporate customer cannot act in terms of Internet-scale routing, but it can warn its network service providers and request consequent actions. Nevertheless, upon warning, the corporate customer can locally deploy extreme security policies, such as terminating sensitive deferrable communications (database/information synchronization, audio/video calls) and increasing the required encryption level for public services.

The need for a world-wide monitoring infrastructure is, for most corporate clients, an impassable barrier due to costs and technical difficulties. Therefore, we propose the development of a low-cost, easily deployable and easily managed traffic redirection detection platform. The platform deployment, management and alarm handling will be under the full responsibility of the corporation using it. Moreover, this platform should be flexible enough to include any additional monitoring or data processing requirements specific to each corporate user's needs. The capital expenditure and operational costs should also be low. Therefore, the platform should be based on very low-cost virtual servers spread over the world and include very robust control and detection algorithms to handle eventual server/network probe failures.
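As an added illustration of the detection approach outlined above (not DARTEG project code): each vantage point keeps a robust RTT baseline, an alarm is raised only when several geographically distinct probes see a simultaneous RTT increase, and probes that fail to answer are tolerated rather than treated as evidence. The vantage point names, RTT samples and thresholds are constructed for the example.

```python
"""Multi-vantage RTT deviation detector (added example, not DARTEG code)."""
from statistics import median
from typing import Dict, List, Optional

Sample = Optional[float]  # None = probe got no reply (server/network probe failure)

# Constructed baseline: last 8 RTT samples (ms) from each vantage point to one target.
BASELINE: Dict[str, List[Sample]] = {
    "lisbon":    [12.1, 11.9, 12.4, 12.0, None, 12.2, 11.8, 12.3],
    "frankfurt": [38.5, 38.9, 38.2, 39.1, 38.7, 38.4, 38.8, 38.6],
    "singapore": [181.0, 180.4, 182.2, 181.5, 180.9, 181.8, 181.2, 180.7],
    "sao_paulo": [95.2, 94.8, 95.6, 95.1, 94.9, 95.4, 95.0, 95.3],
}


def robust_stats(samples: List[Sample]):
    """Median and MAD of the live samples; the MAD is floored so that a perfectly
    flat baseline does not turn ordinary jitter into an infinite score."""
    live = [s for s in samples if s is not None]
    if len(live) < 3:
        return None
    med = median(live)
    mad = median(abs(s - med) for s in live)
    return med, max(mad, 0.1)


def deviation_score(samples: List[Sample], current: Sample) -> Optional[float]:
    """Robust z-score of the newest RTT against the probe's own history;
    None when the probe failed or has too little history to judge."""
    if current is None:
        return None
    stats = robust_stats(samples)
    if stats is None:
        return None
    med, mad = stats
    return (current - med) / (1.4826 * mad)  # 1.4826 scales MAD to one sigma


def detect_redirection(baseline, current, threshold=5.0, min_probes=2):
    """Alarm when at least `min_probes` vantage points see an RTT increase beyond
    `threshold` at the same time. A single deviating probe is treated as local
    congestion, and dead probes are excluded instead of counted either way."""
    scores = {p: deviation_score(h, current.get(p)) for p, h in baseline.items()}
    live = {p: z for p, z in scores.items() if z is not None}
    flagged = sorted(p for p, z in live.items() if z > threshold)
    return {
        "alarm": len(flagged) >= min_probes,
        "flagged": flagged,
        "live_probes": len(live),
        "insufficient_data": len(live) < min_probes,
    }
```

A detour through a hijacker's network lengthens the path from most vantage points at once, which is what separates the alarm case from a single probe suffering local congestion.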

Software

DARTEG Platform Repository, URL: https://bitbucket.org/pjsalvador/darteg/.

Internet quasi-realistic graph website, URL: http://graph.netconfs.net/.

Publications

Book Chapter

Paulo Salvador, "Client Side Localization of BGP Hijack Attacks with a Quasi-Realistic Internet Graph", in e-Business and Telecommunications, Communications in Computer and Information Science, Mohammad S. Obaidat, Enrique Cabello (Eds.), Springer, 2019, ISBN: 978-3-030-11038-3. URL: https://www.springer.com/us/book/9783030110383

Journal Papers

M.R. Oliveira, M. Vilela, A. Pacheco, R. Valadas, P. Salvador, "Extracting Information from Interval Data Using Symbolic Principal Component Analysis", Austrian Journal of Statistics 46 (3-4), 79-87, 2017. doi: 10.17713/ajs.v46i3-4.673. URL: https://doi.org/10.17713/ajs.v46i3-4.673

C. Pascoal, M.R. Oliveira, A. Pacheco, R. Valadas, "Theoretical evaluation of feature selection methods based on mutual information", Neurocomputing 226, 168-181 (2017). doi: 10.1016/j.neucom.2016.11.047. URL: https://doi.org/10.1016/j.neucom.2016.11.047

F. Macedo, M.R. Oliveira, A. Pacheco, R. Valadas, "Theoretical foundations of forward feature selection methods based on mutual information", Neurocomputing 325, 67-89 (2019). doi: 10.1016/j.neucom.2018.09.077. URL: https://doi.org/10.1016/j.neucom.2018.09.077

Conference Papers

P. Salvador, "A Quasi-realistic Internet Graph", 14th International Joint Conference on e-Business and Telecommunications, vol. 3: DCNET, 24-26 July 2017. doi:10.5220/0006440100270032. URL: http://dx.doi.org/10.5220/0006440100270032

M. Silva, A. Nogueira, and P. Salvador, "Modular Platform for Customer-Side Detection of BGP Redirection Attacks", 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), 22-24 January 2018, Funchal, Madeira, Portugal, pp. 199-206. doi: 10.5220/0006543601990206. URL: http://dx.doi.org/10.5220/0006543601990206

A. Subtil, M.R. Oliveira, R. Valadas, A. Pacheco, and P. Salvador, "Detecting Internet-Scale Traffic Redirection Attacks using Latent Class Models", Proceedings of the 14th International Conference on Information Assurance and Security, December 13-15, 2018, Porto, Portugal.

MSc Dissertations

José Rosa, "Customer-Side Detection of BGP Routing Attack", Universidade de Aveiro, 26 July 2016. URL: https://ria.ua.pt/handle/10773/17808

Mário Pina, "Monitorização de Desempenho e Previsão de Falhas em Servidores Cloud", Universidade de Aveiro, 26 July 2016. URL: http://hdl.handle.net/10773/17854

Marco Filipe Moutinho da Silva, "Modular platform for detection of BGP routing attacks", Universidade de Aveiro, 20 December 2017.

José da Fonseca, "Location of Internet Entities", Universidade de Aveiro, July 2018.

Filipa Piedade, "Detection of Internet-Scale Traffic Redirection", Instituto Superior Técnico, Universidade de Lisboa, 2017. URL: https://fenix.tecnico.ulisboa.pt/cursos/mma/dissertacao/1409728525632004

Research Team

Project funding

This work is funded by FCT/MEC through national funds and when applicable co-funded by FEDER – PT2020 partnership agreement under the project, DARTEG - PTDC/EEI-TEL/5708/2014.